AWS Shield

Purpose

AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. This document outlines the use of AWS Shield within the NHSBSA BSA Cloud platform.

Requirement

The NHSBSA BSA Cloud platform utilises AWS Shield to protect against DDoS attacks. The following standards apply:

  • AWS Shield Standard: All services deployed on the BSA AWS Cloud platform automatically benefit from AWS Shield Standard, which provides protection against common and most frequently occurring DDoS attacks at no additional cost.

  • AWS Shield Advanced: This service provides additional detection and mitigation capabilities, 24/7 access to the AWS DDoS Response Team (DRT), and financial protections against DDoS-related costs. NHSBSA have subscribed to AWS Shield Advanced at the organisational level to provide enhanced protection for critical services. Services can use Shield Advanced for free as part of this subscription. Production accounts must use AWS Shield Advanced for all internet-facing applications. It's recommended to also enable Shield Advanced for non-production environments hosting critical services.

Services must currently enable AWS Shield Advanced manually; documentation on how to do this can be found in the playbook HERE. In the future, Shield Advanced will be enabled by default for all accounts within the BSA AWS Cloud platform.

Compliance